M9000 Multi-Service Card Best Practice Configuration Guide    Document classification: Internal public
 if-match acl 3002
 if-match service-vlan-id 20
 if-match destination-mac 0cda-41b6-41d8 ---- match the destination MAC, which is the MAC address of the local VLAN virtual interface
#
traffic classifier up_IPS operator and ---- match upstream traffic for the primary IPS
 if-match acl 3001
 if-match service-vlan-id 10
 if-match destination-mac 0cda-41b6-41d8
#
traffic behavior down_IPS
 redirect interface Ten-GigabitEthernet7/0/2 track-oap ---- track the OAP protocol to detect the card status
#
traffic behavior up_IPS
 redirect interface Ten-GigabitEthernet7/0/1 track-oap
#
qos policy down_IPS
 classifier down_IPS behavior down_IPS
#
qos policy up_IPS
 classifier up_IPS behavior up_IPS
#
acl number 3001 ---- match upstream traffic
 description up_IPS
 rule 0 permit ip source 10.1.1.0 0.0.0.255
#
acl number 3002 ---- match downstream traffic
 description down_ACG
 rule 0 permit ip destination 10.1.1.0 0.0.0.255
Hangzhou H3C Technologies Co., Ltd.
www.h3c.com.cn Page 33 of 43
#
interface Ten-GigabitEthernet7/0/1
 port link-mode bridge
 description to_IPS
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20 100
 port trunk permit pvid vlan 100
 undo stp enable ---- disable STP
 undo mac-address mac-learning enable ---- disable MAC address learning
 packet-filter 4000 outbound ---- filter illegal packets
 port link-aggregation group 3
#
interface Ten-GigabitEthernet7/0/2
 port link-mode bridge
 description to_IPS
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20 100
 port trunk permit pvid vlan 100
 undo stp enable
 undo mac-address mac-learning enable
 packet-filter 4000 outbound
 qos apply policy up_ACG inbound ---- redirect upstream traffic to the ACG
 port link-aggregation group 3
#
interface Ten-GigabitEthernet7/0/3
 port link-mode bridge
 description to_IPS
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20 100
 port trunk permit pvid vlan 100
 undo stp enable
 undo mac-address mac-learning enable
 packet-filter 4000 outbound
 port link-aggregation group 3
#
interface Ten-GigabitEthernet7/0/4
 port link-mode bridge
 description to_IPS
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20 100
 port trunk permit pvid vlan 100
 undo stp enable
 undo mac-address mac-learning enable
 packet-filter 4000 outbound
 port link-aggregation group 3
---- The four internal ports form two pairs: ports 1 and 2 are one pair, ports 3 and 4 are the other.
If only ports 1 and 2 are in use for now and ports 3 and 4 are not, ports 3 and 4 can be shut down on the IPS side; do not shut down the internal ports on the M9000 side.
#
interface Bridge-Aggregation3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20 100
 port trunk permit pvid vlan 100
 port trunk pvid vlan 10
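 link-aggregation selected-port minimum 4
---- The minimum number of selected ports is 4: if any one of the 4 interfaces goes down, the aggregate interface goes down. (In practice, any interface going down indicates a problem with the card.)
 undo stp enable
 undo mac-address mac-learning enable ---- must be configured on the aggregate interface
 oap enable
---- For OAP detection, the IPS Enhanced card requires that an aggregate interface be created, that the internal ports be added to it, and that the OAP protocol be enabled on the aggregate interface to register the card.
The PVID of the internal ports must be changed, and the VLAN corresponding to the PVID must be created locally.
The IPS and ACG cards rely on QoS to steer traffic. If a card fails, the failure is detected through the OAP protocol, the redirect action in the policy stops taking effect, and traffic is no longer redirected to the card.
Layer 2 packet filtering configuration
Common Layer 2 packets (such as broadcast, multicast and ARP) must be filtered on the IPS internal interfaces to prevent a Layer 2 loop from causing a broadcast storm. MAC address learning must also be disabled on the interfaces where the IPS resides.
acl number 4000
 description filter
 rule 0 permit type 0800 ffff dest-mac 0cda-41b6-41d8 ffff-ffff-ffff ---- permit Layer 3 steered packets
 rule 10 deny dest-mac 0100-0000-0000 ff00-0000-0000
 rule 20 deny dest-mac 3300-0000-0000 ff00-0000-0000 ---- block multicast packets (including type 88a7)
 rule 30 permit type 88a7 ffff ---- permit OAP protocol packets
 rule 100 deny
#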
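Added example (not part of the H3C guide): a Python model of ACL 4000 above that evaluates sample frames rule by rule, so the effect of the rule order can be checked before the ACL is bound with packet-filter. It assumes rules are evaluated in ascending rule-ID order with the first match winning and that a set mask bit means the bit must match; every sample frame and every MAC address other than 0cda-41b6-41d8 is constructed.

```python
# Model of ACL 4000 (added example, not H3C code).
# Assumptions: ascending rule-ID order, first match wins, mask bit 1 = must match.

def mac(s):
    """Parse H3C notation 'xxxx-xxxx-xxxx' into an integer."""
    return int(s.replace("-", ""), 16)

# (rule id, action, (ethertype, mask) or None, (dest-mac, mask) or None)
ACL_4000 = [
    (0,   "permit", (0x0800, 0xFFFF), (mac("0cda-41b6-41d8"), mac("ffff-ffff-ffff"))),
    (10,  "deny",   None,             (mac("0100-0000-0000"), mac("ff00-0000-0000"))),
    (20,  "deny",   None,             (mac("3300-0000-0000"), mac("ff00-0000-0000"))),
    (30,  "permit", (0x88A7, 0xFFFF), None),
    (100, "deny",   None,             None),
]

def _hit(field, cond):
    # No condition matches any value; otherwise compare only the masked bits.
    return cond is None or (field & cond[1]) == (cond[0] & cond[1])

def evaluate(dest_mac, ethertype, acl=ACL_4000):
    """Return (rule id, action) of the first rule that matches the frame."""
    dst = mac(dest_mac)
    for rule_id, action, type_cond, mac_cond in sorted(acl, key=lambda r: r[0]):
        if _hit(ethertype, type_cond) and _hit(dst, mac_cond):
            return rule_id, action
    return None, "no-match"  # unreachable here: rule 100 matches everything

# Constructed sample frames: (destination MAC, EtherType)
SAMPLES = {
    "steered IPv4 to VLAN-interface MAC": ("0cda-41b6-41d8", 0x0800),
    "ARP broadcast":                      ("ffff-ffff-ffff", 0x0806),
    "IPv4 multicast":                     ("0100-5e00-0005", 0x0800),
    "IPv6 multicast":                     ("3333-0000-0001", 0x86DD),
    "OAP (88a7) to a unicast MAC":        ("0cda-41b6-0001", 0x88A7),
    "OAP (88a7) to a 01xx multicast MAC": ("0100-0000-0001", 0x88A7),
    "IPv4 to another unicast MAC":        ("0cda-41b6-9999", 0x0800),
}

if __name__ == "__main__":
    for name, (dst, etype) in SAMPLES.items():
        rule_id, action = evaluate(dst, etype)
        print(f"{name:36s} -> rule {rule_id} {action}")
```

Under this model a type 88a7 frame is permitted by rule 30 only when its destination MAC is not caught first by rules 10 or 20, which matches the "(including type 88a7)" note on rule 20.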
interface Ten-GigabitEthernet7/0/1
 port link-mode bridge
 description to_IPS